What is the POODLE Vulnerability
POODLE Vulnerability
=============================================
– SSL 3.0 [RFC6101] is an obsolete and insecure protocol
– Current TLS (TLS 1.0 [RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246]) implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience
– Many clients implement a protocol downgrade dance to work around server-side interoperability bugs
– Attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0
– The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) allows them, for example, to steal “secure” HTTP cookies (or other bearer tokens such as HTTP Authorization header contents) and calculate the plaintext of secure connections
Workaround
For all versions and releases of the Apache-based IBM HTTP Server (IHS), enable strict CBC padding enforcement. Add the following directive to the httpd.conf file, in each context that contains “SSLEnable”.
# Enable strict CBC padding
SSLAttributeSet 471 1
Restart the IHS instance for the changes to take effect.
NOTE: Enabling strict CBC padding enforcement has the following prerequisites:
* Maintenance levels: 7.0.0.33, 8.0.0.9, 8.5.5.2 or later
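To confirm the workaround covers every SSL-enabled context, the following added example (not part of the original article and not IBM tooling) scans an httpd.conf and lists contexts that contain SSLEnable but lack "SSLAttributeSet 471 1". The function name and the sample configuration are constructed for illustration, and it assumes contexts are the global scope plus <VirtualHost> blocks, each checked on its own as the workaround text describes.

```python
import re

# Constructed sample httpd.conf for illustration (not from the article).
# Assumption: a "context" is the global scope or a <VirtualHost> block.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    # Enable strict CBC padding
    SSLAttributeSet 471 1
</VirtualHost>
<VirtualHost *:8443>
    SSLEnable
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)
STRICT = re.compile(r"SSLAttributeSet\s+471\s+1$", re.I)


def contexts_missing_strict_padding(conf_text):
    """Return contexts that have SSLEnable but no 'SSLAttributeSet 471 1'."""
    contexts = {"global": set()}  # context name -> markers seen in it
    current = "global"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive does not count
        m = OPEN.match(line)
        if m:
            current = f"VirtualHost {m.group(1).strip()} (line {lineno})"
            contexts[current] = set()
        elif CLOSE.match(line):
            current = "global"
        elif line.lower() == "sslenable":
            contexts[current].add("enable")
        elif STRICT.match(line):
            contexts[current].add("strict")
    return [name for name, seen in contexts.items()
            if "enable" in seen and "strict" not in seen]


if __name__ == "__main__":
    for ctx in contexts_missing_strict_padding(SAMPLE_CONF):
        print("missing 'SSLAttributeSet 471 1':", ctx)
```

Run it against the real configuration by passing the file's contents to the function; an empty result means every SSL-enabled context carries the directive.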
Hope you enjoyed reading this article. Thank you.